Back to skill

Security audit

Auto Researcher

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only research workflow helper with disclosed web research, reporting, optional monitoring, and optional knowledge storage behavior.

Install only if you want an agent to help perform structured research. For private, proprietary, or personal topics, require confirmation before storing research notes, creating knowledge graph entries, enabling monitoring, scheduling recurring checks, or using any shell/exec tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The activation examples are broad natural-language phrases such as asking to research a topic or provide a report, without clear trigger boundaries separating ordinary conversation from intentional skill invocation. In agent systems, this can cause accidental activation, unexpected tool use, or prompt-routing into higher-capability workflows when the user did not explicitly opt in.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises deep research, knowledge graph construction, citation generation, and ongoing monitoring, but the description does not warn users that data may be collected, retained, or revisited over time. That omission can lead to silent persistence of searched topics, stored entities, and scheduled monitoring behaviors that users may not expect or consent to.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.